Overview
- NHS England instructed teams to switch open GitHub projects to private by May 11, describing the move as temporary and approved by its Engineering Board.
- Internal guidance says public code can expose design choices and configuration details that advanced AI, including Anthropic’s Mythos, can ingest to identify exploitable weaknesses.
- The order departs from the NHS service rule that publicly funded software should be released as open source for reuse, and no end date has been given for the restriction.
- An open letter urging reversal has drawn hundreds of signatures, including Cory Doctorow and former health secretary Matt Hancock, who say closing repos will weaken transparency and community oversight.
- Security experts point out that the UK’s AI Security Institute judged Mythos to be effective mainly against weak systems, argue that bigger threats come from supply-chain bugs and poor credential hygiene, and note that many NHS repos are documentation or internal tools rather than sensitive code.